Ramblings about security, rants about insecurity, occasional notes about reverse engineering, and of course, musings about malware. What more could you ask for?

Sunday, December 20, 2015

New Juniper hack should end NOBUS argument forever

Former NSA Director General Michael Hayden outlined the concept of "NOBUS", which he said is "useful in making macro-judgments about vulnerabilities." NOBUS is short for "nobody but us." It means that a particular capability, exploit, or technique is so hard to pull off that nobody but NSA could do it. Maybe exploiting it requires some sort of special access. Maybe developing the technique required some sort of advanced system. Or maybe the discovery of the vulnerability was pure chance and NSA judges the odds that someone else would also discover it to be astronomically small. NSA uses the term to argue that although a given technique, exploit, or capability would be devastating if used against US interests, there is nothing to worry about, because nobody else could pull it off.

The recent Juniper vulnerabilities are especially concerning when it comes to the NOBUS argument. In fact, they completely destroy it. The US has already confirmed it is not behind the attack, and I believe them. But if not the US, then you have to ask who would be behind such an attack.

We can gain some insight by first considering that the hack was very likely performed by a government-sponsored intelligence service. Criminals generally play a short game when it comes to cyber crime: they compromise a network, exfiltrate data, and monetize that data. Planting backdoors in Juniper's source code and waiting for them to ship in released builds can take years to come to fruition. And that is before counting the effort required to penetrate Juniper's code base and remain hidden. And hidden they remained. Based on the affected software releases, the attackers have had the backdoor in place since 2012, and more than three years of internal code review failed to discover the backdoor code.

But the vulnerabilities themselves are also telling. In particular, CVE-2015-7756 can only really be exploited by an adversary with the ability to intercept VPN traffic: it lets a knowledgeable attacker decrypt VPN sessions, but only sessions the attacker has already captured. If you don't have the VPN traffic, then the ability to recover the keys that protect it is meaningless. The fact that this particular change was made to the Juniper code base implies that whoever did it has the ability both to intercept VPN traffic en masse and to process the decrypted traffic afterwards.

In the infosec community, we often talk about how any country with good talent can start a network exploitation program. But the resources required to capitalize on the Juniper hack really limit the number of possible suspects. I won't speculate on who I think is responsible for the compromise, but since it wasn't the US, I think we can officially put the NOBUS argument to bed... forever.